[tbb-bugs] #17895 [Tor Browser]: Tor Browser Bundle installer subject to DLL hijacking
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Dec 21 19:34:24 UTC 2015
#17895: Tor Browser Bundle installer subject to DLL hijacking
-------------------------------------------------+-------------------------
Reporter: ericlaw | Owner: tbb-
Type: defect | team
Priority: High | Status: new
Component: Tor Browser | Milestone:
Severity: Major | Version:
Keywords: tbb-gitian, tbb-security, | Resolution:
TorBrowserTeam201512, GeorgKoppen201512 | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------------------------------+-------------------------
Comment (by dcf):
Replying to [comment:2 dcf]:
> According to the blog post, we just need to update NSIS to version 2.49.
>
> It seems the DLL hijacking fix was actually in version 2.47 (released 08
December 2015):
In the longer term we want to upgrade to the NSIS 3.0 series, because it
will enable us to use more languages in the installer: see #13469,
especially comment:6:ticket:13469.
But according to http://nsis.sourceforge.net/Main_Page, the current
version 3.0b2 was released 04 August 2015, so it probably doesn't have the
DLL hijacking fix. Eric's blog post says: "The v3 beta branch doesn’t
appear to have the fix, yet."
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17895#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list